#!/bin/bash
#set -x
#set -v

PATH=/sbin:$PATH

## set up firewall and masq rules when lan is up, but before uplinks are up
if [ "${IFACE}" == "eth0" ] ; then

  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X

  ## policy
  iptables -P INPUT DROP

  # Always accept loopback traffic
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # let LAN machines access gateway itself
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT

  # slightly stricter is lines like:
  #iptables -A INPUT -m state --state NEW -i eth0 -p ALL -m mac --mac-source 08:00:27:5A:FB:91 -j ACCEPT
  # mac filtering - subvertable with mac spoofing. When testing use ip route flush all

  #iptables -t nat -A POSTROUTING -j MASQUERADE
  #don't set this - it would masq every interface to every other one. Instead, do it per output interface 
  
  ## squid redirection runs from muggles_init because networking must be up first to see if it is running
  # having bypass defined is ok even if squid isn't running, so do that here.
  iptables -t nat -N squid_bypass 
  #iptables -t nat -I PREROUTING -s $(</etc/muggles/cidr_ip_eth0) -i eth0 -p tcp --dport 80 -j squid_bypass
  iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j squid_bypass
  ## drop -s to keep it simple

  echo 1 > /proc/sys/net/ipv4/ip_forward &&  echo "enabled forwarding iptables"
  echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore && echo "enable arp_ignore on all interfaces"
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter && echo "enabled rp_filter on all interfaces"

  ## or permanently set above in /etc/sysctl.conf with:
  ##   net.ipv4.ip_forward=1 
  ##   net.ipv4.conf.all.arp_ignore = 1 
  ##   net.ipv4.conf.all.rp_filter = 1

  ## arp_ignore=0 means any interface will claim the ip on arp, 1 means only the interface with the ip responds.
  ## rp_filter default is 0. 1 means, if current packet's return path is through another interface than this one, then drop current packet.
  ##   (Done by looking at source ip from current packet, and figuring if the route to that source goes via current interface).
  ##   Only really need it off for bonding interfaces, surely? For single uplinks it is irrelevant. (remember to ip route flush cache when you change the setting)
 
fi


if [[ "${IFACE}" =~ eth[1-9][0-9]* ]] ; then


  ## iptables sometimes errors during load
  wrap_iptables_line ()
  {
  error_count=1 ; maximum_tries=5
  until ( "$@" || [ $error_count -eq $maximum_tries ] )
  do error_count=$(( $error_count + 1 )) ; sleep 1;  done
  }


  #Allow established connections, from the outside to lan
  wrap_iptables_line iptables -A FORWARD -i ${IFACE} -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  
  # Allow outgoing connections from the LAN side.
  wrap_iptables_line iptables -A FORWARD -i eth0 -o ${IFACE} -j ACCEPT
  
  #don't forward outside connections to LAN (masq handles that)
  wrap_iptables_line iptables -A FORWARD -i ${IFACE} -o eth0 -j REJECT

  # masq connections for the route to do with that interface
  wrap_iptables_line iptables -t nat -A POSTROUTING -o ${IFACE} -j MASQUERADE
  
  # slightly stricter is lines like:
  #iptables -t nat -A POSTROUTING -m state --state NEW -o ${IFACE} -p ALL -m mac --mac-source 08:00:27:5A:FB:91 -j MASQUERADE
  # mac filtering - subvertable with mac spoofing. (when testing, use ip route flush all)
  
  ## we assume one interface per ip
  interfaceip=$(ip -4 -o addr show dev ${IFACE} | sed -n 's/^.*inet \(.*\)\/.*$/\1/p')

  ##don't allow people on internet to access web interface or dns on gateway (using gateway interfaceip)
  wrap_iptables_line iptables -A INPUT -i ${IFACE} -d $interfaceip -m multiport -p tcp --destination-ports 80,53 -j REJECT --reject-with tcp-reset
  wrap_iptables_line iptables -A INPUT -i ${IFACE} -d $interfaceip -m multiport -p udp --destination-ports 80,53 -j DROP

  ## accept ssh (maybe add rate limiter to stop brute-force?)
  wrap_iptables_line iptables -A INPUT -i ${IFACE} -d $interfaceip -p tcp --destination-port 22 -j ACCEPT

fi

